- Removed #ifdef WINDOWS blocks in base code where the feature support can be conveyed by a failed POSIX API call
- Refactored password authentication code
- Other misc changes - Removed DebugBreak on Release Builds
- Logic to support conpty (currently disabled until validation is complete)
- fdopen() and fchmod() support for file handles
- support for auto updating known_hosts via ssh and ssh-keygen
- Support for dynamic Windows-size changes with PTY
- Changes to support OneCore SDK
- Test cases
Modified user principal name lookup to default to the implicit form (SamAccountName@DnsDomainName) if no explicit user principal name attribute is found on the account.
https://github.com/PowerShell/Win32-OpenSSH/issues/1213
Current group membership resolution though very effective, is very slow. In a typical domain joined enterprise machine, adding a simple entry like the following in sshd_config
AllowGroups administrators
will incur a long delay in remote session establishment as sshd tried to pull all groups associated with the domain user.
Changes in this PR optimize the general case scenarios where no wild cards are in use. Specifically rules like this are processed promptly:
AllowGroups group1, group2, group3 //with no wild cards
Match Group group1 //single group with no negation and wild cards
Optimization is done by resolve the groupname in rule immediately to SID and checking its membership against user token. Enumerating the entire group membership is done on a lazy on-demand basis.
Beyond the optimization, there are 2 functional changes
- removed domain prefix for builtin groups
- removed domain prefix'ed versions of local groups since we are strictly following the convention that local principals shouldn't have any domain qualification.
After creating a user token, the SeServiceLogonRight is now removed from the account so it does not create an orphaned reference in the local security policy.
Other small code changes for code style consistency within the file.
PowerShell/Win32-OpenSSH#1202
On certain machines, virtual tokens were not getting generated due to lack of required privileges. Fixed it by assigning them before doing LogonUserExExW. Consolidated runtime dll loading logic.
PowerShell/Win32-OpenSSH#1162
* Updates To Address OneCore Linking
- Modified generate_s4u_user_token() and sys_auth_passwd() to dynamically load TranslateNameW() to avoid OneCore static library linking.
- Modified getusergroups() to avoid Lsa* calls that are not present in OneCore libraries.
* Updates To Address OneCore Linking - Revisions
- Corrected failure detection logic when TranslateNameW() cannot be located.
Added support to run sshd as non-system. In this mode, sshd can authenticate only the user that sshd is running as, and only via public key authentication.
PowerShell/Win32-OpenSSH#1153
Modified getusergroups() to use s4u tokens to discover nested groups and return them in NetBiosName\GroupName format.
Modified get_passwd() to internally normalize names to NetBiosName\SamAccountName format and changed functions that use it to translate to UPN where necessary.
Removed unnecessary support functions used by previous version of getusergroups().
Various refactoring and function consolidation / simplification.
Addressed several buffer over-read issues.
PowerShell/Win32-OpenSSH#553
Issue: All SSHD unauthenticated workers are currently running as "sshd". Any compromised worker can snoop into the process space of one other worker, steal authentication payload and elevate itself.
Fix: Added logic to spawn the unauthenticated workers under the context of run time unique security identities that will provide complete isolation between these worker processes.
OpenSSh privilege separation model - http://www.citi.umich.edu/u/provos/ssh/privsep.html
Posix_spawn is implemented in POSIX adapter as an alternative to fork() that is heavily used in Privilege separation.
Additional state info is added to sshd to accommodate distinguishing the various modes (privileged monitor, unprivileged child, authenticated child).
Required service state (like config and host keys) is transmitted over pipes from monitor to child processes.
Changes to installation scripts and tests to accomodate new architectural changes
